Apple’s Face ID Alone Deemed Too Insecure For European Banks

Apple's Face ID and Touch ID have become a staple of mobile banking in recent years. (Associated Press)

Next year millions of people across Europe will suddenly find it harder to log in to their mobile bank account.

Biometric security, like fingerprints and Apple’s Face ID, has long been a staple of frictionless mobile banking, but new European Union payments regulations have deemed biometrics alone too insecure for mobile banking.

Instead, banks across the continent are planning a return to passwords, memorable phrases, security questions and card-readers.

Many European banks now offer biometric security by default in their banking apps. (Tesco Bank)

“I can't see how it won't introduce more friction in the banking process,” Mark Curran, director of payments and open banking at Clydesdale and Yorkshire Bank, told Forbes.

The change comes as part of the final stage of implementing Europe’s Payment Services Directive 2 (PSD2) on September 14, 2019, which requires banks to use two-factor security even for basic things like logging into an account.

Under PSD2, biometrics like Face ID only count as one factor, and must be supplemented with either something you know (e.g., a password) or something you have (e.g., a token texted to the account holder, or a separate device like a card reader).

The concern in the banking industry is that these changes will see a return to the clunky multi-step login processes of the early days of online and mobile banking, before off-the-shelf biometrics like Apple’s Touch ID and Face ID streamlined the process.

“Banks are wrestling with lots of internal systems and often don't have the ability to easily implement a great experience,” Simon Taylor, cofounder of fintech consultancy 11:FS, told Forbes.

With a year to go, specifics on how each bank will comply with the new rules are still unknown, and another question mark is over how one-click online checkouts, such as Amazon’s patented 1-Click, will respond.

According to PSD2, online transactions over a certain value should also be two-factor authenticated.

Challenger banks like Monzo, Starling Bank and N26 are growing in popularity across Europe, in part because they remove much of the friction associated with traditional banking.

One possible solution mooted by industry experts is for banks to redesign their apps in a way that gets around the legislation.

For example, checking an account balance alone does not require two-factor authentication, according to PSD2, so an app could use biometrics to unlock a portion of the app, while keeping payments and account history behind a two-factor login.
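The split described above, as an added example that is not part of the original article: a small Python policy check that applies the PSD2 rule that two factors must come from different categories (knowledge, possession, inherence) and gates each in-app action accordingly. The login-method names, the category mapping and the action table are assumptions for illustration, not any bank's real policy.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something you know: password, memorable phrase, security question
    POSSESSION = "possession"  # something you have: card reader, code sent to the registered phone
    INHERENCE = "inherence"    # something you are: Face ID, Touch ID, fingerprint


# Assumed mapping of login methods to PSD2 factor categories.
METHOD_CATEGORY = {
    "face_id": Factor.INHERENCE,
    "touch_id": Factor.INHERENCE,
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "sms_code": Factor.POSSESSION,
    "card_reader": Factor.POSSESSION,
}

# Assumed per-action policy following the article's split: the balance view stays
# behind a single biometric, payments and account history need strong authentication.
SCA_REQUIRED = {"view_balance": False, "view_history": True, "make_payment": True}


def categories_of(methods):
    """Distinct factor categories covered by the presented methods.

    Unknown methods are rejected rather than ignored, so a typo cannot silently
    count as a second factor."""
    unknown = [m for m in methods if m not in METHOD_CATEGORY]
    if unknown:
        raise ValueError(f"unknown authentication method(s): {unknown}")
    return {METHOD_CATEGORY[m] for m in methods}


def is_strong_auth(methods):
    """PSD2 strong customer authentication: two factors from *different* categories.
    Face ID plus Touch ID is still only inherence, so it does not qualify."""
    return len(categories_of(methods)) >= 2


def missing_categories(methods):
    """Categories a step-up prompt could ask for to complete strong authentication."""
    have = categories_of(methods)
    return set() if len(have) >= 2 else set(Factor) - have


def authorize(action, methods):
    """True if the presented methods are enough for this action under the policy table."""
    if action not in SCA_REQUIRED:
        raise ValueError(f"unknown action: {action}")
    if not methods:
        return False  # nothing presented, not even a single factor
    return is_strong_auth(methods) if SCA_REQUIRED[action] else True
```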

The biggest challenge, according to Curran, will be explaining to millions of Europeans why their bank just got harder to use:

“Unless you're following European legislation, this is all going to come as a bit of a surprise.”

Amazon has not responded to Forbes on how it intends to implement PSD2 with regards to 1-Click.
